Commit 5dd35918 authored by Igor Filippov (EPAM)'s avatar Igor Filippov (EPAM) Committed by Dmitriy Rudko

(GONRG-1759) Fix Security response headers issue

parent c8efbf90
......@@ -44,6 +44,7 @@
<log4j-core.version>2.13.2</log4j-core.version>
<google-oauth-client.version>1.31.0</google-oauth-client.version>
<commons-compress.version>1.20</commons-compress.version>
<osdu.oscorecommon.version>0.6.9</osdu.oscorecommon.version>
</properties>
<licenses>
......@@ -320,7 +321,7 @@
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.28</version>
<version>${osdu.oscorecommon.version}</version>
</dependency>
</dependencies>
......
......@@ -39,6 +39,7 @@
<aws.version>1.11.637</aws.version>
<deployment.environment>dev</deployment.environment>
<version.number>0.0.4-SNAPSHOT</version.number>
<osdu.oscorecommon.version>0.6.9</osdu.oscorecommon.version>
</properties>
<dependencies>
......@@ -56,7 +57,7 @@
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.28</version>
<version>${osdu.oscorecommon.version}</version>
</dependency>
<!-- AWS-managed packages -->
......
......@@ -37,7 +37,7 @@
<project.main.basedir>${project.parent.basedir}</project.main.basedir>
<springboot.version>2.1.7.RELEASE</springboot.version>
<osdu.corelibazure.version>0.0.41</osdu.corelibazure.version>
<osdu.oscorecommon.version>0.3.16</osdu.oscorecommon.version>
<osdu.oscorecommon.version>0.6.9</osdu.oscorecommon.version>
<osdu.search-core.version>0.8.0-SNAPSHOT</osdu.search-core.version>
<spatial4j.version>0.7</spatial4j.version>
<jts-io-common.version>1.15.0</jts-io-common.version>
......@@ -79,7 +79,7 @@
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.16</version>
<version>${osdu.oscorecommon.version}</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
......
......@@ -14,9 +14,12 @@
package org.opengroup.osdu.search.provider.azure.config;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
......@@ -59,6 +62,8 @@ public class AzureBootstrapConfig {
return elasticCacheMaxSize;
}
@Autowired
private HttpResponseBodyMapper httpResponseBodyMapper;
@Bean
......@@ -67,6 +72,6 @@ public class AzureBootstrapConfig {
.apiKey(entitlementsAPIKey)
.rootUrl(entitlementsAPIEndpoint)
.build();
return new EntitlementsFactory(apiConfig);
return new EntitlementsFactory(apiConfig, httpResponseBodyMapper);
}
}
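Review bot: `@Autowired private HttpResponseBodyMapper httpResponseBodyMapper;` introduces field injection into a `@Configuration` class, while the GCP and IBM factory changes in this same commit use `@Inject`, so the three providers now wire the same dependency three different ways. In a configuration class the usual form is to declare `HttpResponseBodyMapper httpResponseBodyMapper` as a parameter of the `@Bean` method that builds the factory, which removes the mutable field and keeps the wiring visible at the call site; the `return new EntitlementsFactory(apiConfig, httpResponseBodyMapper);` line would then be unchanged. The `@Bean` method's signature lies outside the hunk, so I cannot see whether it already takes parameters.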
......@@ -54,7 +54,7 @@
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.8</version>
<version>0.6.9</version>
</dependency>
<dependency>
......
......@@ -14,9 +14,13 @@
package org.opengroup.osdu.search.provider.gcp.di;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.stereotype.Component;
......@@ -25,21 +29,22 @@ import org.springframework.web.context.annotation.RequestScope;
@Component
@RequestScope
public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
@Inject
private HttpResponseBodyMapper httpResponseBodyMapper;
@Value("${AUTHORIZE_API}")
private String authorizeApi;
@Value("${AUTHORIZE_API_KEY:}")
private String authorizeApiKey;
@Override
protected IEntitlementsFactory createInstance() throws Exception {
protected IEntitlementsFactory createInstance() {
return new EntitlementsFactory(EntitlementsAPIConfig
.builder()
.rootUrl(authorizeApi)
.apiKey(authorizeApiKey)
.build());
.build(), httpResponseBodyMapper);
}
@Override
......
......@@ -25,6 +25,7 @@
<properties>
<os-core-lib-ibm.version>0.0.18</os-core-lib-ibm.version>
<start-class>org.opengroup.osdu.search.provider.ibm.app.SearchIBMApplication</start-class>
<osdu.oscorecommon.version>0.6.9</osdu.oscorecommon.version>
</properties>
......@@ -47,7 +48,7 @@
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.8</version>
<version>${osdu.oscorecommon.version}</version>
</dependency>
<dependency>
......
......@@ -3,9 +3,11 @@
package org.opengroup.osdu.search.provider.ibm.di;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.context.annotation.Primary;
......@@ -14,21 +16,27 @@ import org.springframework.stereotype.Component;
@Component
@Primary
public class EntitlementsFactoryIbm extends AbstractFactoryBean<IEntitlementsFactory> {
@Value("${AUTHORIZE_API}")
private String AUTHORIZE_API;
@Value("${AUTHORIZE_API_KEY:#{null}}")
private String AUTHORIZE_API_KEY;
@Value("${AUTHORIZE_API}")
private String AUTHORIZE_API;
@Override
protected IEntitlementsFactory createInstance() throws Exception {
@Value("${AUTHORIZE_API_KEY:#{null}}")
private String AUTHORIZE_API_KEY;
return new EntitlementsFactory(
EntitlementsAPIConfig.builder().rootUrl(AUTHORIZE_API).apiKey(AUTHORIZE_API_KEY).build());
}
@Inject
private HttpResponseBodyMapper httpResponseBodyMapper;
@Override
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
@Override
protected IEntitlementsFactory createInstance() {
return new EntitlementsFactory(EntitlementsAPIConfig
.builder()
.rootUrl(AUTHORIZE_API)
.apiKey(AUTHORIZE_API_KEY).build(), httpResponseBodyMapper);
}
@Override
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
}
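Review bot: The rewritten `EntitlementsFactoryIbm` keeps the instance fields `AUTHORIZE_API` and `AUTHORIZE_API_KEY` in UPPER_SNAKE_CASE, which is the convention for constants, not for injected fields; since the block is rewritten anyway, naming them `authorizeApi` and `authorizeApiKey` as the GCP `EntitlementsClientFactory` in this commit does would make the two providers read the same. Separately, the default in `@Value("${AUTHORIZE_API_KEY:#{null}}")` differs from the GCP factory's `${AUTHORIZE_API_KEY:}` (null versus empty string); whether `EntitlementsAPIConfig.apiKey(...)` treats those two the same is not visible here, so a short comment stating the intended default, e.g. `// no API key configured -> null, so no key header is sent` if that is the behaviour, would help the next reader.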
......@@ -16,32 +16,31 @@ package org.opengroup.osdu.search.middleware;
import java.io.IOException;
import java.time.Duration;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import javax.servlet.*;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.common.base.Strings;
import org.apache.http.HttpStatus;
import org.opengroup.osdu.core.common.http.ResponseHeadersFactory;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.core.common.model.http.Request;
import org.opengroup.osdu.core.common.http.ResponseHeaders;
import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
//@Component
@Component
public class CorrelationIDRequestFilter implements Filter {
private static final String OPTIONS_STRING = "OPTIONS";
@Inject
private DpsHeaders requestHeaders;
private ResponseHeadersFactory responseHeadersFactory = new ResponseHeadersFactory();
// defaults to * for any front-end, string must be comma-delimited if more than one domain
......@@ -51,8 +50,11 @@ public class CorrelationIDRequestFilter implements Filter {
@Inject
private JaxRsDpsLog logger;
private static final String OPTIONS_STRING = "OPTIONS";
private static final String FOR_HEADER_NAME = "frame-of-reference";
@Override
public void init(FilterConfig filterConfig) throws ServletException {
public void init(FilterConfig filterConfig) {
//None
}
......@@ -64,8 +66,7 @@ public class CorrelationIDRequestFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest httpRequest = null;
HttpServletRequest httpRequest;
if (request instanceof HttpServletRequest) {
httpRequest = (HttpServletRequest)request;
} else {
......@@ -82,30 +83,28 @@ public class CorrelationIDRequestFilter implements Filter {
}
String path = httpRequest.getServletPath();
if (path.endsWith("/liveness_check") || path.endsWith("/readiness_check"))
return;
String fetchConversionHeader = ((HttpServletRequest) request).getHeader(FOR_HEADER_NAME);
if (!Strings.isNullOrEmpty(fetchConversionHeader)) {
this.requestHeaders.put(FOR_HEADER_NAME, fetchConversionHeader);
}
HttpServletResponse httpResponse = (HttpServletResponse) response;
requestHeaders.addCorrelationIdIfMissing();
this.requestHeaders.addCorrelationIdIfMissing();
Map<String, String> responseHeaders = responseHeadersFactory.getResponseHeaders(ACCESS_CONTROL_ALLOW_ORIGIN_DOMAINS);
for (Map.Entry<String, String> header : responseHeaders.entrySet()) {
httpResponse.addHeader(header.getKey(), header.getValue().toString());
}
httpResponse.addHeader(DpsHeaders.CORRELATION_ID, this.requestHeaders.getCorrelationId());
requestHeaders.put(DpsHeaders.CORRELATION_ID, requestHeaders.getCorrelationId());
chain.doFilter(request, response);
httpResponse.addHeader(DpsHeaders.CORRELATION_ID, requestHeaders.getCorrelationId());
// This block handles the OPTIONS preflight requests performed by Swagger. We
// are also enforcing requests coming from other origins to be rejected.
if (httpRequest.getMethod().equalsIgnoreCase(OPTIONS_STRING)) {
httpResponse.setStatus(HttpStatus.SC_OK);
}
chain.doFilter(request, response);
logger.request(Request.builder()
.requestMethod(httpRequest.getMethod())
......@@ -115,5 +114,4 @@ public class CorrelationIDRequestFilter implements Filter {
.ip(httpRequest.getRemoteAddr())
.build());
}
}
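Review bot: The header loop `httpResponse.addHeader(header.getKey(), header.getValue().toString());` makes the security headers additive: if this filter runs more than once for the same response (an error or forward dispatch, or a second registration of the filter) or the container has already set one of them, the client receives duplicated headers, and browsers reject a duplicated `Access-Control-Allow-Origin`. Assuming the `responseHeadersFactory` loop is the new side of this hunk, `httpResponse.setHeader(header.getKey(), header.getValue());` keeps the headers idempotent, and the `.toString()` on a value the loop already declares as `String` can be dropped. The same consideration applies to the `DpsHeaders.CORRELATION_ID` header added just before `chain.doFilter`; both must stay before that call, since headers added after the response is committed are silently discarded. The body of `doFilter` continues into the last hunk, ending after the `logger.request(...)` call.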